Simple Log Service (SLS) uses Key Management Service (KMS) to encrypt data at rest and supports SSL/TLS-based HTTPS encrypted transmission to protect data from potential security risks in the cloud.
Server-side encryption
SLS supports the following server-side encryption mechanisms:
- Encryption with service keys provided by SLS
  SLS automatically generates and manages a unique data encryption key for each Logstore. The key never expires.
  Supported encryption algorithms: AES (default) and SM4.
- Encryption with Bring Your Own Key (BYOK)
  Create a customer master key (CMK) in the KMS console and grant SLS the required permissions. SLS then calls the KMS API to generate data encryption keys under that CMK.
  Important
  If you delete or disable the CMK, the BYOK key becomes invalid and all read and write requests to the Logstore fail.
For more information, see Data encryption.
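The following is an added illustration (not SLS or KMS code) of why a disabled or deleted CMK makes every Logstore read and write fail under BYOK: the Logstore keeps only the data encryption key wrapped under the CMK, so each request must unwrap it through KMS first. `ToyKMS`, the "Enabled"/"Disabled" state names and the HMAC-based keystream are constructed stand-ins; SLS uses AES or SM4, not this toy cipher.

```python
import hashlib, hmac, secrets

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream from HMAC-SHA256 in counter mode (illustrative; not AES/SM4)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

class ToyKMS:
    """Constructed stand-in for KMS: CMK material never leaves it, and key state is enforced."""
    def __init__(self):
        self.keys = {}

    def create_key(self) -> str:
        key_id = "cmk-" + secrets.token_hex(4)          # constructed key id format
        self.keys[key_id] = {"material": secrets.token_bytes(32), "state": "Enabled"}
        return key_id

    def disable_key(self, key_id: str) -> None:
        self.keys[key_id]["state"] = "Disabled"

    def _usable(self, key_id: str) -> bytes:
        entry = self.keys[key_id]
        if entry["state"] != "Enabled":
            raise PermissionError(f"{key_id} is {entry['state']}; data key cannot be unwrapped")
        return entry["material"]

    def generate_data_key(self, key_id: str):
        """Return (plaintext DEK, DEK wrapped under the CMK), as envelope encryption does."""
        material = self._usable(key_id)
        dek, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
        return dek, nonce + xor_crypt(material, nonce, dek)

    def decrypt_data_key(self, key_id: str, wrapped: bytes) -> bytes:
        material = self._usable(key_id)
        return xor_crypt(material, wrapped[:12], wrapped[12:])

class Logstore:
    """Persists only ciphertext plus the wrapped DEK; every read/write unwraps via the CMK."""
    def __init__(self, kms: ToyKMS, cmk_id: str):
        self.kms, self.cmk_id, self.records = kms, cmk_id, []
        _, self.wrapped_dek = kms.generate_data_key(cmk_id)   # plaintext DEK is not stored

    def write(self, record: bytes) -> None:
        dek = self.kms.decrypt_data_key(self.cmk_id, self.wrapped_dek)
        nonce = secrets.token_bytes(12)
        self.records.append(nonce + xor_crypt(dek, nonce, record))

    def read(self) -> list:
        dek = self.kms.decrypt_data_key(self.cmk_id, self.wrapped_dek)
        return [xor_crypt(dek, r[:12], r[12:]) for r in self.records]
```

Once `disable_key` is called, both `write` and `read` raise `PermissionError`, mirroring the failed requests the Important note describes.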
SSL/TLS-based HTTPS encrypted transmission
SLS supports access over HTTP or HTTPS. When HTTPS is used, SSL/TLS provides confidentiality and integrity for the communication channel.
The following access methods support encrypted transmission:
- Logtail
  Logtail is the log collection agent provided by SLS. To prevent tampering during transmission, Logtail retrieves a private token from the server over an HTTPS channel and signs all log data packets before sending them.
- SDKs
  SLS provides SDKs in multiple programming languages, including Java, Python, .NET, PHP, and C. All SDKs support reading from and writing to SLS over HTTPS.
- Data shipping to OSS
  Data shipping to OSS involves two legs. The first leg moves data from SLS storage to the SLS shipping service within the SLS cluster; this internal transfer is protected from tampering. The second leg transmits data between SLS and OSS over HTTPS, where a private token is retrieved from the server and all log data packets are signed.